NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

Additional ACL negate/deny rule #61

Closed mestara closed 10 months ago

mestara commented 12 months ago

It would be nice to have a deny rule in the ACL and a redirect option.

e.g. when not yet authenticated via MFA, and trying to access http or https, redirect the request to the MFA portal to prompt for authentication.

In this particular use case for a deny rule, it's configured to route all traffic (0.0.0.0/0 80/tcp 443/tcp) but there's a couple of specific portals that one user group should not have access to via port 443, whereas a second user group should.

NHAS commented 12 months ago

Hi there, definitely agree there should be the ability to make deny/negation rules in wag!

Unfortunately, on the redirection side of things, that's a limitation of the technology. There isn't a way to do this effectively with XDP, as I'd have to write my own stack and then also do TLS in that; it just isn't feasible to do.

NHAS commented 10 months ago

This is on unstable now. Give it a shot:

            "group:nerds": {
                "Mfa": [
                    "192.168.3.4/32",
                    "10.0.0.0/24",
                    "thing.internal 443/tcp icmp"
                ],
                "Allow": [
                    "192.168.3.5/32"
                ],
                "Deny": [
                    "10.0.0.5/32"
                ]
            }

NHAS commented 10 months ago

It's important to note that the most specific rule effectively creates a new rule "bucket", so if you do something like:

            "group:nerds": {
                "Allow": [
                    "10.0.0.0/24 443/tcp"
                ],
                "Deny": [
                    "10.0.0.5/32 22/tcp"
                ]
            }

Your clients will not be able to access 10.0.0.5/32 443/tcp, as the only rule in the /32 "bucket" is a deny rule. You can solve this by adding the following:

            "group:nerds": {
                "Allow": [
                    "10.0.0.0/24 443/tcp",
                    "10.0.0.5/32 22/tcp"
                ],
                "Deny": [
                    "10.0.0.5/32 22/tcp"
                ]
            }

or

            "group:nerds": {
                "Allow": [
                    "10.0.0.0/24 443/tcp"
                ],
                "Deny": [
                    "10.0.0.0/24 22/tcp"
                ]
            }

As then you're adding the deny rule to the /24 "bucket".
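To make the "bucket" behaviour from the comments above concrete, here is a small Go model of it. This is an added example written for this page, not wag's own ACL code, and it makes several assumptions that the thread does not spell out: destinations are IP prefixes only (a hostname like `thing.internal` is rejected rather than resolved), an entry with no port list matches any port or protocol, only the most specific prefix containing the destination is consulted, a matching `Deny` in that bucket wins over a matching `Allow`, and a destination with no matching bucket is denied. The three constructed configs in `main` are the pitfall from the thread (a `/32` deny alongside a `/24` allow), an allow added into the `/32` bucket for the port that is still wanted, and the deny moved into the `/24` bucket.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Rule is one "prefix [port/proto ...]" ACL entry in the shape used on the page.
// An empty Ports list means any port/protocol (assumption of this example).
type Rule struct {
	Prefix netip.Prefix
	Ports  []string // e.g. "443/tcp", "22/tcp", "icmp"
	Deny   bool
}

// ParseRule turns "10.0.0.0/24 443/tcp" into a Rule. Only IP prefixes and bare
// addresses are handled here; hostnames such as "thing.internal" are rejected.
func ParseRule(s string, deny bool) (Rule, error) {
	fields := strings.Fields(s)
	if len(fields) == 0 {
		return Rule{}, fmt.Errorf("empty rule")
	}
	p, err := netip.ParsePrefix(fields[0])
	if err != nil {
		a, aerr := netip.ParseAddr(fields[0])
		if aerr != nil {
			return Rule{}, fmt.Errorf("unsupported destination %q", fields[0])
		}
		p = netip.PrefixFrom(a, a.BitLen()) // bare address => host prefix (/32 or /128)
	}
	return Rule{Prefix: p.Masked(), Ports: fields[1:], Deny: deny}, nil
}

// Policy holds the Allow and Deny rules of one group.
type Policy struct{ rules []Rule }

// NewPolicy builds a Policy from a group's "Allow" and "Deny" lists.
func NewPolicy(allow, deny []string) (*Policy, error) {
	pol := &Policy{}
	for i, list := range [][]string{allow, deny} {
		for _, s := range list {
			r, err := ParseRule(s, i == 1)
			if err != nil {
				return nil, err
			}
			pol.rules = append(pol.rules, r)
		}
	}
	return pol, nil
}

func (r Rule) matchesPort(port string) bool {
	if len(r.Ports) == 0 {
		return true
	}
	for _, p := range r.Ports {
		if p == port {
			return true
		}
	}
	return false
}

// Allowed reports whether dst:port is reachable. Only the most specific
// (longest-prefix) bucket containing dst is consulted; inside it a matching
// Deny beats a matching Allow, and no bucket at all means denied (assumptions).
func (pol *Policy) Allowed(dst, port string) (bool, error) {
	addr, err := netip.ParseAddr(dst)
	if err != nil {
		return false, err
	}
	best := -1 // prefix length of the most specific bucket that contains dst
	for _, r := range pol.rules {
		if r.Prefix.Contains(addr) && r.Prefix.Bits() > best {
			best = r.Prefix.Bits()
		}
	}
	if best < 0 {
		return false, nil
	}
	allowed := false
	for _, r := range pol.rules {
		if r.Prefix.Bits() != best || !r.Prefix.Contains(addr) || !r.matchesPort(port) {
			continue
		}
		if r.Deny {
			return false, nil
		}
		allowed = true
	}
	return allowed, nil
}

func main() {
	type cfg struct {
		name        string
		allow, deny []string
	}
	// Constructed configs mirroring the thread: the pitfall, then two ways out of it.
	for _, c := range []cfg{
		{"pitfall", []string{"10.0.0.0/24 443/tcp"}, []string{"10.0.0.5/32 22/tcp"}},
		{"fix-/32-allow", []string{"10.0.0.0/24 443/tcp", "10.0.0.5/32 443/tcp"}, []string{"10.0.0.5/32 22/tcp"}},
		{"fix-/24-deny", []string{"10.0.0.0/24 443/tcp"}, []string{"10.0.0.0/24 22/tcp"}},
	} {
		pol, err := NewPolicy(c.allow, c.deny)
		if err != nil {
			panic(err)
		}
		for _, port := range []string{"443/tcp", "22/tcp"} {
			ok, _ := pol.Allowed("10.0.0.5", port)
			fmt.Printf("%-14s 10.0.0.5 %-8s allowed=%v\n", c.name, port, ok)
		}
	}
}
```

Running it shows the point of the thread: under the pitfall config 10.0.0.5 is unreachable on 443/tcp because the /32 bucket holds nothing but a deny for 22/tcp, while either fix leaves 443/tcp open and 22/tcp closed on that host. When reviewing a real wag config, the check to make is that every host-specific deny sits in a bucket that also carries the allows that host still needs, or that the deny is written at the same prefix length as the allow it is meant to narrow.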